Method and apparatus for external control planes to cryptographically trust software artifacts launched at public cloud providers
Abstract
A system, method, and computer-readable medium for performing a data center monitoring and management operation. The data center monitoring and management operation includes: submitting a request for a workload instance to a cloud service provider; establishing a secure communication channel between the cloud service provider and a data center monitoring and management console; exchanging information between the cloud service provider and the data center monitoring and management console via the secure communication channel, the information including a verifiable workload instance identity; and, using the verifiable workload instance identity to authenticate a workload instance provided by the cloud service provider.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A computer-implementable method for performing a data center monitoring and management operation, comprising:
submitting a request for a workload instance to a cloud service provider;
establishing a secure communication channel between the cloud service provider and a data center monitoring and management console;
exchanging information between the cloud service provider and the data center monitoring and management console via the secure communication channel, the information including a verifiable workload instance identity, the verifiable workload instance identity being unique, linked by the cloud service provider to the workload instance and cryptographically verifiable; and,
using the verifiable workload instance identity to authenticate a workload instance provided by the cloud service provider, the data center monitoring and management console authenticating the workload instance.
2. The method of claim 1 , wherein:
the secure connection is established using a public key provided by the cloud service provider.
3. The method of claim 2 , wherein:
the data center monitoring and management console comprises a workload authentication system; and,
the workload authentication system verifies a signature of the cloud service provider using the public key provided by the cloud service provider and stores with verifiable workload instance identity.
4. The method of claim 2 , wherein:
the cloud service provider generates a certificate signing request (CSR) when establishing the secure communication channel between the cloud service provider and a data center monitoring and management console.
5. The method of claim 4 , wherein:
the workload authentication system processes the CSR to generate a signed certificate containing an authenticated workload identity.
6. The method of claim 1 , further comprising:
initiating an instance of a requested workload; and,
retrieving the verifiable instance identity when the instance of the requested workload is initiated.
7. A system comprising:
a processor;
a data bus coupled to the processor; and,
a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for:
submitting a request for a workload instance to a cloud service provider;
establishing a secure communication channel between the cloud service provider and a data center monitoring and management console;
exchanging information between the cloud service provider and the data center monitoring and management console via the secure communication channel, the information including a verifiable workload instance identity, the verifiable workload instance identity being unique, linked by the cloud service provider to the workload instance and cryptographically verifiable; and,
using the verifiable workload instance identity to authenticate a workload instance provided by the cloud service provider, the data center monitoring and management console authenticating the workload instance.
8. The system of claim 7 , wherein:
the secure connection is established using a public key provided by the cloud service provider.
9. The system of claim 8 , wherein:
the data center monitoring and management console comprises a workload authentication system; and,
the workload authentication system verifies a signature of the cloud service provider using the public key provided by the cloud service provider and stores with verifiable workload instance identity.
10. The system of claim 8 , wherein:
the cloud service provider generates a certificate signing request (CSR) when establishing the secure communication channel between the cloud service provider and a data center monitoring and management console.
11. The system of claim 10 , wherein:
the workload authentication system processes the CSR to generate a signed certificate containing an authenticated workload identity.
12. The system of claim 7 , wherein the instructions executable by the processor are further configured for:
initiating an instance of a requested workload; and,
retrieving the verifiable instance identity when the instance of the requested workload is initiated.
13. A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for:
submitting a request for a workload instance to a cloud service provider;
establishing a secure communication channel between the cloud service provider and a data center monitoring and management console;
exchanging information between the cloud service provider and the data center monitoring and management console via the secure communication channel, the information including a verifiable workload instance identity, the verifiable workload instance identity being unique, linked by the cloud service provider to the workload instance and cryptographically verifiable; and,
using the verifiable workload instance identity to authenticate a workload instance provided by the cloud service provider, the data center monitoring and management console authenticating the workload instance.
14. The non-transitory, computer-readable storage medium of claim 13 , wherein:
the secure connection is established using a public key provided by the cloud service provider.
15. The non-transitory, computer-readable storage medium of claim 14 , wherein:
the data center monitoring and management console comprises a workload authentication system; and,
the workload authentication system verifies a signature of the cloud service provider using the public key provided by the cloud service provider and stores with verifiable workload instance identity.
16. The non-transitory, computer-readable storage medium of claim 14 , wherein:
the cloud service provider generates a certificate signing request (CSR) when establishing the secure communication channel between the cloud service provider and a data center monitoring and management console.
17. The non-transitory, computer-readable storage medium of claim 13 , wherein:
the workload authentication system processes the CSR to generate a signed certificate containing an authenticated workload identity.
18. The non-transitory, computer-readable storage medium of claim 17 , wherein the computer executable instructions are further configured for:
initiating an instance of a requested workload; and,
retrieving the verifiable instance identity when the instance of the requested workload is initiated.
19. The non-transitory, computer-readable storage medium of claim 13 , wherein:
the computer executable instructions are deployable to a client system from a server system at a remote location.
20. The non-transitory, computer-readable storage medium of claim 13 , wherein:
the computer executable instructions are provided by a service provider to a user on an on-demand basis.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.